authorReyk Floeter <reyk@cvs.openbsd.org>2019-12-17 13:08:57 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2019-12-17 13:08:57 +0000
commit93c5a80cd9505a17528ed97b6fc75b8a12a2adc6 (patch)
treeb744b8472950e501afef29498928e14ae3b24652 /etc/MAKEDEV.common
parent3a713a9a6753ac8aa6d5e955f64f8b47b79e516a (diff)
Add fido(4), a HID driver for FIDO/U2F security keys
While FIDO/U2F keys were already supported by the generic uhid(4) driver, this driver adds the first step to tighten the security of FIDO/U2F access. Specifically, users don't need read/write access to all USB/HID devices anymore and the driver also improves integration with pledge(2) and unveil(2): It is pledge-friendly because it doesn't require any ioctls to discover the device and unveil-friendly because it uses a single /dev/fido/* directory for its device nodes. It also makes it possible to support FIDO/U2F in firefox without further weakening the "sandbox" of the browser. Firefox does not have a proper privsep design and many operations, such as U2F access, are handled directly by the main process. This means that the browser's "fat" main process needs direct read/write access to all USB HID devices, at least on other operating systems. With fido(4) we can support security keys in Firefox under OpenBSD without such a compromise. With this change, libfido2 stops using the ioctl to query the device vendor/product and just assumes "OpenBSD" "fido(4)" instead. The ioctl is still supported but there was no benefit in obtaining the vendor product or name; it also allows libfido2 to be used under pledge. With feedback from deraadt@ and many others OK kettenis@ djm@ and jmc@ for the manpage bits
Diffstat (limited to 'etc/MAKEDEV.common')
-rw-r--r--etc/MAKEDEV.common7
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/MAKEDEV.common b/etc/MAKEDEV.common
index bd611225f27..c726bfe8a0e 100644
--- a/etc/MAKEDEV.common
+++ b/etc/MAKEDEV.common
@@ -1,4 +1,4 @@
-vers(a, {-$OpenBSD: MAKEDEV.common,v 1.105 2019/12/14 05:05:46 deraadt Exp $-})dnl
+vers(a, {-$OpenBSD: MAKEDEV.common,v 1.106 2019/12/17 13:08:54 reyk Exp $-})dnl
dnl
dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
dnl
@@ -177,6 +177,7 @@ __devitem(ramdisk, ramdisk, Ramdisk kernel devices,nothing)dnl
dnl
target(usb, usb, 0, 1, 2, 3, 4, 5, 6, 7)dnl
target(usb, uhid, 0, 1, 2, 3, 4, 5, 6, 7)dnl
+twrget(usb, fido, fido)dnl
target(usb, ulpt, 0, 1)dnl
target(usb, ugen, 0, 1, 2, 3, 4, 5, 6, 7)dnl
target(usb, ttyU, 0, 1, 2, 3)dnl
@@ -357,6 +358,10 @@ _mkdev({-usb-}, usb*, {-[ "$i" = "usb" ] && u= || u=$U
M usb$u c major_usb_c $U 640-})dnl
__devitem(uhid, uhid*, Generic HID devices)dnl
_mcdev({-uhid-}, uhid*, {-uhid-}, {-major_uhid_c-}, 600)dnl
+__devitem(fido, fido, fido/* nodes, fd)dnl
+_mkdev(fido, fido, {-RMlist[${#RMlist[*]}]=";mkdir -p fido;rm -f" n=0
+ while [ $n -lt 4 ];do M fido/$n c major_fido_c $n 666;n=Add($n, 1);done
+ MKlist[${#MKlist[*]}]=";chmod 555 fido"-})dnl
__devitem(ulpt, ulpt*, Printer devices)dnl
_mcdev({-ulpt-}, ulpt*, {-ulpt-}, {-major_ulpt_c-}, 600)dnl
__devitem(ttyU, ttyU*, USB serial ports,ucom)dnl
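Review bot: The `M fido/$n c major_fido_c $n 666` line creates the new /dev/fido/* nodes world read/write, while the uhid nodes two lines above are created with mode 600, and nothing in the hunk records that this wider mode is deliberate. The commit description gives the rationale (unprivileged users reach FIDO/U2F keys through /dev/fido/* instead of needing access to every HID device), so a one-line comment above the _mkdev call would keep a later cleanup from tightening it back to 600 by analogy with uhid, e.g. `dnl fido(4) nodes are 0666 on purpose: unprivileged users talk to FIDO/U2F keys here instead of via the 0600 uhid(4) nodes`. The node count is also fixed at four by `while [ $n -lt 4 ]` rather than taken from the target list as the uhid entry does, which is worth a word in the same comment.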